Parser does not handle MS-WSMV extension (encrypted Kerberos payload)

[bbannier]

If HTTP traffic contains Kerberos encrypted traffic it would have a header like

Content-Type: multipart/encrypted;protocol="application/HTTP-Kerberos-session-encrypted";boundary="Encrypted Boundary"

Our current parsing does not handle this. After stripping away the multipart prefix we end up with Message.content_type_parameter = b"protocol=\"application/HTTP-Kerberos-session-encrypted\";boundary=\"Encrypted Boundary\",". When trying to handle this in

spicy-http/analyzer/analyzer.spicy

Lines 96 to 104 in 48ce0b7

	if ( self.content_type[0] == b"MULTIPART" ) {
	local boundary = self.content_type_parameter.match(/boundary="([^"]*)"/, 1);
	if ( ! boundary )
	boundary = self.content_type_parameter.match(/boundary=([^ ;]*)/, 1);
	self.delivery_mode = DeliveryMode::Multipart;
	self.multipart_boundary = b"--" + *boundary + b"--\r\n";
	}

we do not anticipate to see something before boundary so we match nothing; this cause a protocol violation when dereferencing boundary which has no value,

spicy-http/analyzer/analyzer.spicy

Line 103 in 48ce0b7

self.multipart_boundary = b"--" + *boundary + b"--\r\n";

Zeek's builtin HTTP analyzer does not handle this either and instead reports a weird

#separator \x09
#set_separator  ,
#empty_field    (empty)
#unset_field    -
#path   weird
#open   2024-05-22-09-05-24
#fields name    addl    notice  peer    source
#types  string  string  bool    string  string
line_terminated_with_single_CR  -       F       zeek    CONTENTLINE
#close  2024-05-22-09-05-24